>> Using OAuth with browserless devices is challenging, and perhaps it's
>> more realistic to provide an API that allows the device to exchange the
>> username/password for a scoped credential (Access Token). After
>> obtaining the Access Token, the well behaved device should discard the
>> password, and only store the Access Token persistently.

That's missing the point.  If the device were well-behaved, there
would be no need for OAuth -- the device could just keep the
username/password.  Granularity is good, but it's not a security
property; if the device can impersonate the user, then it's pointless
(since the device can acquire whatever permissions it wants).

The main benefit of OAuth is that the credentials *don't* flow through
the Consumer, i.e., that there are no authentication gateways.  The
only way to provide a meaningful separation between the Consumer and
the User's credentials with the Service Provider is if the User only
has to provide his credentials to the SP.

If you're trying to use OAuth in a context where the only thing that
the user can interact with is your app, then you need to somehow
provide the user a protected tunnel through your site to the SP -- an
iframe, a pop-up, etc -- such that (1) your app can't see into the
tunnel, and (2) the user (really, the UA) can authenticate that it's
talking to the SP.

Said differently, the transaction between the User and the Service
Provider needs two security properties in order for OAuth to not be
vulnerable to malicious Consumers:
1. Authentication: The SP needs to know that the User is genuine
2. Confidentiality: The verifier needs to be protected from the
Consumer until the User gives it to him.
These issues are discussed at some length in this document:
<http://tools.ietf.org/html/draft-barnes-oauth-model-01>

--Richard
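The two properties Richard lists map onto the three legs of the OAuth 1.0a request-token / verifier / access-token exchange. The following is an added illustration, not code from the thread or from any OAuth library: a toy Service Provider in which the User's password is only ever presented to the SP (authentication), and the verifier is bound to one request token, one Consumer, and one redemption (confidentiality). Class and function names, the consumer keys and the password are all constructed for the example.

```python
import hmac
import secrets


class ServiceProvider:
    """Toy model of the SP side of the OAuth 1.0a token exchange (added example)."""

    def __init__(self, users):
        self.users = users                 # username -> password (constructed store)
        self.request_tokens = {}           # request token -> record
        self.access_tokens = {}            # access token -> (consumer, user)

    def issue_request_token(self, consumer_key):
        # Leg 1: the Consumer gets an unauthorized request token; no user data yet.
        token = secrets.token_urlsafe(16)
        self.request_tokens[token] = {"consumer": consumer_key, "user": None, "verifier": None}
        return token

    def authorize(self, token, username, password):
        # Leg 2 (property 1, authentication): the User presents credentials to the
        # SP directly, through the tunnel; the Consumer never handles them.
        rec = self.request_tokens.get(token)
        expected = self.users.get(username)
        if rec is None or expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
            return None
        rec["user"] = username
        rec["verifier"] = secrets.token_urlsafe(16)  # unguessable, bound to this token
        return rec["verifier"]                        # handed to the User, not the Consumer

    def exchange(self, consumer_key, token, verifier):
        # Leg 3 (property 2, confidentiality): only the Consumer the token was issued
        # to, holding the verifier the User received, can redeem it, and only once.
        rec = self.request_tokens.get(token)
        if rec is None or rec["consumer"] != consumer_key or rec["verifier"] is None:
            return None
        if not hmac.compare_digest(rec["verifier"], verifier):
            return None
        del self.request_tokens[token]                # single use: a replay fails
        access = secrets.token_urlsafe(16)
        self.access_tokens[access] = (consumer_key, rec["user"])
        return access


def run_flow():
    """Walk the three legs and probe three misuse cases; returns the outcomes."""
    sp = ServiceProvider({"alice": "constructed-password"})
    rt = sp.issue_request_token("consumer-A")
    early = sp.exchange("consumer-A", rt, "guess")        # before the User authorized
    verifier = sp.authorize(rt, "alice", "constructed-password")
    other = sp.exchange("consumer-B", rt, verifier)       # a different Consumer
    access = sp.exchange("consumer-A", rt, verifier)      # the legitimate redemption
    replay = sp.exchange("consumer-A", rt, verifier)      # second use of the same verifier
    return {"early": early, "other": other, "access": access, "replay": replay,
            "owner": sp.access_tokens.get(access)}
```

Note that the SP never stores anything about the Consumer beyond its key; the only place the password appears is the call the User makes to `authorize`.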
